ACCG358 – Assignment 2
Table of Contents
1.0 Executive Summary
2.0 Background to the Case
3.0 IS Risks
3.1 Usability Risk
3.1.1 Loss of data risk
3.1.2 Readability Risk
3.2 Security Risk
3.2.1 Fraudulent Activity Risk
3.2.2 Theft of personal data
4.0 Audit Plan and Aims
4.1 Audit Plan
4.2 Audit Aims
5.0 Interview Questions and Documents
1.0 Executive Summary
2.0 Background to the Case
The Opal card is a contactless smartcard that is the centrepiece of the new electronic ticketing system implemented by Cubic Transportation Systems (CTS). It allows the user to top up a balance either manually (via Opal top-up machines) or by linking the card to a credit card. The balance is drawn on when the card is tapped on Opal card readers at the start and end of a trip; the fare is calculated automatically and deducted from the balance on the card. If a trip is started but not finished (the card is tapped only once within a day), a default fare is charged to the card. The Opal card must comply with the ISO/IEC 14443 standard (Identification cards – Contactless integrated circuit cards), which specifies its physical dimensions (85.60 mm × 54.00 mm × 0.76 mm), radio frequency (13.56 MHz), anti-collision procedure (the bit-collision detection protocol used by Type A cards; Type B cards use a slotted-ALOHA scheme instead) and transmission protocol (half-duplex block transmission protocol). The new ticketing system was to be introduced gradually throughout the greater Sydney region, across all 190 stations of the Sydney train network by 28 March 2014, and then extended to include "52 more stations on the South Coast Line to Wollongong, Port Kembla and Bomaderry, as well as the Southern Highlands Line to Goulburn" by 4 April (McKenny, 2014). It will need to accommodate more than "304 million passengers per year, averaging about 1.5 million trips each working day" (PRWEB, 2014).
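To make the anti-collision procedure named above concrete, the following is an added simulation written for this report (it is not code from Cubic, Transport for NSW or the ISO standard) of the ISO/IEC 14443-3 Type A bit-collision loop for a single cascade level. The card UIDs are constructed; the REQA/ATQA exchange, the BCC check byte and the SAK response are left out as simplifying assumptions, and the reader is assumed to take the "1" branch whenever it sees a collision.

```python
"""Simulation of the ISO/IEC 14443-3 Type A anticollision loop (cascade level 1).

Added illustration, not code from Cubic, Opal or any ISO document.  Card UIDs
below are constructed; real cards also send a BCC check byte and a SAK, which
this simulation omits.
"""
from typing import List, Optional, Sequence, Tuple

UID_BITS = 32  # one cascade level carries a 4-byte UID (CL1)


def uid_to_bits(uid: bytes) -> List[int]:
    """Bits in air-interface order: each byte least-significant bit first."""
    return [(byte >> i) & 1 for byte in uid for i in range(8)]


def bits_to_uid(bits: Sequence[int]) -> bytes:
    """Inverse of uid_to_bits."""
    out = bytearray()
    for k in range(0, len(bits), 8):
        value = 0
        for i, bit in enumerate(bits[k:k + 8]):
            value |= bit << i
        out.append(value)
    return bytes(out)


def field_response(cards: Sequence[List[int]], prefix: List[int]) -> List[Optional[int]]:
    """What the reader sees after an ANTICOLLISION frame carrying `prefix`.

    Only cards whose UID starts with the prefix answer (the others stay silent,
    as the NVB byte tells them the reader is addressing a different branch).
    The answering cards send their remaining bits at the same time: where they
    all agree the reader decodes the bit, where they differ the overlapping
    Manchester-coded signals are detected as a collision, shown here as None.
    """
    replies = [c[len(prefix):] for c in cards if c[:len(prefix)] == prefix]
    if not replies:
        return []
    return [col[0] if len(set(col)) == 1 else None for col in zip(*replies)]


def anticollision(cards: Sequence[List[int]], choose_bit: int = 1) -> Tuple[bytes, int, int]:
    """Resolve a single card; returns (uid, ANTICOLLISION frames sent, collisions seen)."""
    prefix: List[int] = []
    frames = collisions = 0
    while len(prefix) < UID_BITS:
        frames += 1
        response = field_response(cards, prefix)
        if not response:
            raise RuntimeError("no card in the field answered the frame")
        for bit in response:
            if bit is None:
                # Collision: the reader picks a branch itself and re-sends the frame
                # with a longer NVB, so only the cards on that branch keep answering.
                collisions += 1
                prefix.append(choose_bit)
                break
            prefix.append(bit)
    return bits_to_uid(prefix), frames, collisions


def enumerate_cards(uids: Sequence[bytes]) -> List[Tuple[bytes, int, int]]:
    """Full loop: anticollision, SELECT, HALT, repeat until the field is quiet."""
    active = [uid_to_bits(u) for u in uids]
    found: List[Tuple[bytes, int, int]] = []
    while active:
        uid, frames, collisions = anticollision(active)
        found.append((uid, frames, collisions))
        # SELECT the resolved card, then HLTA it so it no longer answers ANTICOLLISION.
        selected = uid_to_bits(uid)
        active = [c for c in active if c != selected]
    return found


# Constructed UIDs: the first two differ only in the last byte (separated late in
# the loop); the third differs already in the first byte (separated early).
SAMPLE_UIDS = [b"\x04\xa1\x2b\x3c", b"\x04\xa1\x2b\x7c", b"\x88\x04\x11\x22"]

if __name__ == "__main__":
    for uid, frames, collisions in enumerate_cards(SAMPLE_UIDS):
        print(f"UID {uid.hex()}  frames={frames}  collisions={collisions}")
```

Running the module resolves all three constructed cards: the first pass needs three frames and sees two collisions (one against the third card in the first byte, one between the two near-identical cards in the last byte), the second pass needs two frames, and the last card is read in a single frame once the others have been halted. This is why the standard's throughput depends on how many cards share a field at once rather than on the number of cards alone.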
3.0 IS Risks
Information System (IS) risks can exist in many parts of an IS, such as security, privacy, economic and implementation risk. In order to measure the level of each risk proposed, the audit risk model below (Hall, 2012) is used to calculate audit risk, where inherent risk (IR) is the likelihood of the risk materialising with no controls in place, control risk (CR) is the likelihood that the existing controls fail to prevent or detect it, and detection risk (DR) is the likelihood that the audit procedures fail to detect it:

AR = IR × CR × DR

The estimates in the following sections are written in that order, so AR = 0.8 × 0.3 × 0.1 = 2.4% denotes IR = 0.8, CR = 0.3 and DR = 0.1.
3.1 Usability Risk
Usability risks are defined as the risks that emerge as the Opal card is used on a regular basis, such as the data loss risk and the readability risk.
3.1.1 Loss of data risk
The core functionality of the Opal card is that the balance is stored on the smartcard and retrieved when needed. The risk of losing this data arises because Opal cards are frequently kept in wallets, where they are exposed to fairly rough conditions (for a microchip). The estimated audit risk is AR = 0.8 × 0.3 × 0.1 = 2.4%. The probability of a microchip being damaged is fairly high; however, various methods can be implemented to detect or correct the corruption (a reader can reject a record that fails its integrity check, and a balance can be restored from back-end transaction records if the operator keeps them). The impact of data loss on a smartcard can be damaging to reputation, as the card stores a balance. If this happens often and numerous Opal cards are damaged, CTS loses credibility.
3.1.2 Readability Risk
The Opal card will eventually need to handle an average of 1.5 million trips per working day. This volume of users may cause severe delays at station gates if the readability of Opal cards is low. Low readability could be caused by deteriorated microchips, prolonged use of a single card, and insufficient radio power to pass through surrounding material (a wallet). The estimated AR is 0.1 × 0.8 × 0.2 = 1.6%. The main business objective of the Opal card is to improve the ticketing experience for passengers. If the Opal card is unable to do this, it would result in complaints and a bad reputation similar to those CityRail experienced.
3.2 Security Risk
Security risks are defined as any form of risk that results in a potential threat to the user or the system; this includes a fraudulent balance on the Opal card or a leak of personal information (the locations travelled with the Opal card).
3.2.1 Fraudulent Activity Risk
Opal cards are exposed to criminal activity, as the card itself is physically in the user's hands and can be experimented with at any time. This means an attacker may physically disassemble the card, for example using acids or abrasives to decapsulate the chip and gain access to the on-board microprocessor. The AR is estimated to be 0.1 × 0.9 × 0.3 = 2.7%: this is highly unlikely but theoretically possible, as it means that data on the smartcard can be recovered if the encryption uses a symmetric block cipher, or that information can be recovered about the asymmetric ciphers used. If every card holds the same symmetric key, extracting it from a single card compromises the whole fleet; deriving a distinct key per card and reconciling balances against back-end transaction records limit that exposure. There is no control mechanism for the reader to determine whether a valid smartcard contains fraudulent data.
3.2.2 Theft of personal data
The Opal card must follow the ISO 14443 standard, under which the card responds to a reader at a range of up to 3 to 5 cm in practice. This means that with dedicated amplifiers, antennas and sniffers it is theoretically possible to extend this to 1.5 m (Sum, 2012). A comparable range extension was demonstrated in the Trifinite experiment, where Bluetooth range was extended from 10 m to 1.7 km (Trifinite, 2004), although Bluetooth is a 2.4 GHz radio link and that figure does not transfer directly to the 13.56 MHz inductive coupling of ISO 14443. Two cases should be distinguished: actively powering and reading a card (skimming), which is limited by how much energy the attacker's antenna can couple into the card, and passively eavesdropping on an exchange between the card and a legitimate reader, which needs no power transfer and is generally possible at a greater distance. AR = 0.01 × 1.0 × 0.9 = 0.9%. There is currently no control mechanism that prevents a non-Opal reader from receiving Opal card data. However, the likelihood of this being a practical problem is quite low.
4.0 Audit Plan and Aims
4.1 Audit Plan
The audit plan is based on James Hall's structure of an IT audit (Hall, 2012). He divides the audit into three phases:
- Audit Planning: The process in which the auditor examines the nature of the business and gathers information to attain a thorough understanding of the business and its environment. With specific reference to the Opal card, this means gathering the exact specifications, such as physical dimensions, radio frequency, anti-collision procedures, transmission protocols and the encryption methods used. This allows the auditor to determine the inherent risks and calculate audit risk.
- Tests of Controls: The process in which the control mechanisms are tested to determine whether they are effective and efficient at what they do. The controls are then assessed according to the quality of internal controls and given a measure (control risk) which is used to calculate audit risk later. Specifically, this means testing the control mechanisms of the Opal card, such as the validation process, to determine the boundaries of what is accepted as a valid "Opal" card.
- Substantive Testing: This phase consists of in-depth analysis of data, where the data is thoroughly investigated from its source to establish the accuracy of the sampled data. Specifically, the balances kept on Opal cards should be sampled and checked for any forged or corrupted data, allowing the auditor to determine the detection risk for corrupted data.
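The following added example, written for this report rather than taken from Opal, CTS or Hall, illustrates two points at once: the reader-side control that section 3.2.1 notes is missing (a balance bound to the card by a MAC under a per-card key, plus a transaction counter the back end tracks), and the substantive test described above (running that check over a sample of card records and counting the failures). The record layout, master key, UIDs and sample records are all constructed for the illustration and are not Opal's actual card format or key scheme.

```python
"""Added example: a stored-value record without and with an integrity control,
plus the sampling check an auditor would run over card records.

Constructed illustration; it is not Opal's real card layout, key scheme or
reader logic.  Key, UIDs and sample records are made up for the example.
"""
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

RECORD_FMT = ">4sii"            # card UID, balance in cents, transaction counter
RECORD_LEN = struct.calcsize(RECORD_FMT)
TAG_LEN = 8                     # truncated HMAC-SHA256 tag stored after the record
MASTER_KEY = b"example-master-key-do-not-use"  # placeholder; a real reader keeps this in a SAM/HSM


def diversify_key(master: bytes, uid: bytes) -> bytes:
    """Per-card key derived from the master key and the card UID.  A key pulled
    off one decapsulated chip then only lets the attacker forge that one card."""
    return hmac.new(master, b"stored-value-v1|" + uid, hashlib.sha256).digest()


def write_record_naive(uid: bytes, balance_cents: int, counter: int) -> bytes:
    """Weak design: the balance sits on the card with nothing binding it."""
    return struct.pack(RECORD_FMT, uid, balance_cents, counter)


def write_record_authenticated(uid: bytes, balance_cents: int, counter: int) -> bytes:
    """Hardened design: the record carries a MAC under the card-specific key."""
    body = struct.pack(RECORD_FMT, uid, balance_cents, counter)
    tag = hmac.new(diversify_key(MASTER_KEY, uid), body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def tamper_balance(record: bytes, new_balance_cents: int) -> bytes:
    """What an attacker with write access to the chip does: overwrite the balance field."""
    uid, _, counter = struct.unpack(RECORD_FMT, record[:RECORD_LEN])
    return struct.pack(RECORD_FMT, uid, new_balance_cents, counter) + record[RECORD_LEN:]


def reader_naive(record: bytes) -> Dict[str, object]:
    """A reader with no control: whatever the card says is accepted."""
    uid, balance, counter = struct.unpack(RECORD_FMT, record[:RECORD_LEN])
    return {"uid": uid, "balance": balance, "counter": counter, "accepted": True}


def reader_authenticated(record: bytes, last_seen: Dict[bytes, int]) -> Dict[str, object]:
    """A reader that checks the MAC and that the counter has not gone backwards.

    `last_seen` stands in for the back end's record of the highest counter seen
    per card; it catches a rollback, where an old but correctly MACed record
    with a higher balance is written back onto the chip."""
    body, tag = record[:RECORD_LEN], record[RECORD_LEN:]
    uid, balance, counter = struct.unpack(RECORD_FMT, body)
    expected = hmac.new(diversify_key(MASTER_KEY, uid), body, hashlib.sha256).digest()[:TAG_LEN]
    mac_ok = hmac.compare_digest(tag, expected)
    fresh = counter >= last_seen.get(uid, 0)
    return {"uid": uid, "balance": balance, "counter": counter,
            "accepted": mac_ok and fresh, "mac_ok": mac_ok, "fresh": fresh}


def audit_sample(records: List[bytes], last_seen: Dict[bytes, int]) -> Tuple[int, int]:
    """Substantive test: run the authenticated check over a sample of card
    records and return (sample size, number of records that fail)."""
    failures = sum(1 for r in records if not reader_authenticated(r, last_seen)["accepted"])
    return len(records), failures


if __name__ == "__main__":
    uid = b"\x04\xa1\x2b\x3c"                       # constructed card UID
    backend = {uid: 3}                              # back end last wrote counter 3 to this card
    good = write_record_authenticated(uid, 1000, 3)
    forged = tamper_balance(good, 999_999)          # balance rewritten, tag now wrong
    rollback = write_record_authenticated(uid, 5000, 1)  # genuine older record replayed
    print("naive reader accepts tampered record:",
          reader_naive(tamper_balance(write_record_naive(uid, 1000, 3), 999_999))["accepted"])
    for name, rec in (("good", good), ("forged", forged), ("rollback", rollback)):
        print(name, reader_authenticated(rec, backend))
    print("audit sample (size, failures):", audit_sample([good, forged, rollback], backend))
```

The naive reader accepts the rewritten balance without complaint, which is the situation section 3.2.1 describes. The authenticated reader rejects the forged record because the tag no longer matches, and rejects the replayed older record even though its tag is valid, because its counter is below what the back end last recorded. The audit function returns the sample size and failure count the auditor would use when estimating detection risk; a real sampling plan would draw the records from field cards rather than construct them.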
4.2 Audit Aims
The objective of the audit is to determine whether CTS has mitigated at least 50% of the identified risk.
5.0 Interview Questions and Documents
- PRWEB, 2014. Cubic Transportation Systems and New South Wales Government Complete Opal Card Rollout on Sydney Trains. [Online] Available at: http://www.prweb.com/releases/2014/04/prweb11779056.htm [Accessed 8 May 2014].
- McKenny, L., 2014. Opal card available on all Sydney trains by next Friday. Sydney Morning Herald. [Online] Available at: http://www.smh.com.au/nsw/opal-card-available-on-all-sydney-trains-by-next-friday-20140320-353x4.html [Accessed 8 May 2014].
- Texas Instruments, 2010. ISO/IEC 14443 Overview. [Online] Available at: http://e2e.ti.com/cfs-file.ashx/__key/telligent-evolution-components-attachments/00-667-01-00-00-30-14-15/ISO14443-Overview_2D00_v5.ppt [Accessed 11 May 2014].
- Sum, E., 2012. Contactless Payment Insecurity: Hacking the NFC credit cards for fun and debit ;). [Online] Available at: http://2012.hackitoergosum.org/blog/wp-content/uploads/2012/04/HES-2012-rlifchitz-contactless-payments-insecurity.pdf [Accessed 14 May 2014].
- Trifinite, 2004. Trifinite.stuff. [Online] Available at: http://trifinite.org/trifinite_stuff_lds.html [Accessed 14 May 2014].
- Hall, J. A., 2012. Information Technology Auditing, International Edition 3e. South-Western Cengage Learning, ch. 1, pp. 10-11.